inspection of windows phone applications...- proximity communication using nfc app-to-app, wp8 13 ....
TRANSCRIPT
Inspection of Windows Phone applications
Dmitriy Evdokimov Andrey Chasovskikh
About us
Dmitriy ‘D1g1’ Evdokimov
- Security researcher at ERPScan
- Editor of Russian hacking magazine
- DEFCON Russia (DCG #7812) organizer
Andrey Chasovskikh
- Software developer
- Windows Phone addict
2
Agenda
- Windows Phone intro
- Security model
- All about applications
- Not all applications are secure
- Tools overview
- Deep dive: finding vulnerabilities
- Conclusion
3
WINDOWS PHONE INTRO
- The successor to the Windows Mobile OS
- 15 Mar 2010 – Windows Phone 7 series announced
- 21 Oct 2010 – Windows Phone 7 released
- 29 Oct 2012 – Windows Phone 8 released
History of Windows Phone
time
version
WP7 WP7 NoDo
WP7.5 Mango WP7.5 Tango
WP8
27 Sep 2011 29 Oct 2012 21 Oct 2011
5
Market share
Source: Gartner, November 2012
6
- 125 000+ applications
- Casual apps, social networks, mobile banking, enterprise applications etc.
Windows Phone Store
7
SECURITY MODEL
- Trusted Computing Base (TCB) Kernel, kernel-mode drivers
- Elevated Rights Chamber (ERC) Services, user-mode drivers
- Standard Rights Chamber (SRC) Pre-installed applications
- Least Privileged Chamber (LPC) Applications from WP store
Chamber concept, WP7
9
- Trusted Computing Base (TCB) Kernel, kernel-mode drivers
- Least Privileged Chamber (LPC) All other software: services, pre-installed apps,
application from WP store
Chamber concept, WP8
10
Capabilities
Windows Phone 7
- Camera
- Contacts
- Location services
- Owner/phone identity
- Network services
Etc.
Undocumented
- Native code
- SMS API
- Access to user properties
- SIM API
Etc.
WMAppManifest.xml
Windows Phone 8
- All WP7 capabilities
- NFC
- SD card access
- Wallet
- Speech recognition
- Front camera
Etc.
11
Sandboxing concept
App1
Isolated chamber
App2
Isolated chamber
Isolated storage for App1
Isolated storage for App2
- No app communication in WP7 - Limited app-to-app in WP8 - File system structure is hidden - Isolated storages
12
- File associations - LaunchFileAsync()
- Reserved: xap, msi, bat, cmd, py, jar etc
- URI associations - LaunchUriAsync()
- Reserved: http, tel, wallet, LDAP, rlogin, telnet etc
- Proximity communication using NFC
App-to-App, WP8
13
Isolated Storage
Isolated Storage
Isolated Settings Storage
Files
Database
Isolated File Storage
Directory
Physical File Storage
14
- Store applications are signed in WP7
- All binaries get signed since WP8
- Application file get signed - Kind of checksum file is put into applications
- Applications XAP files have undocumented format (since Aug 2012)
Signing
15
ALL ABOUT APPLICATIONS
.NET and CLR, WP7
Applications
Developer Platform (XAML, XNA, Device services)
.NET Compact Framework (BCL + Silverlight flavor)
WP7 OS, WinCE based
17
???
Framework
18
.NET and CLR, WP8
Applications
Developer Platform (XAML, XNA, Device services)
.NET Framework (CoreCLR)
WP8 OS, Win8 based
19
Framework
20
- Application assemblies
- Resources
- AppManifest.xaml
- WMAppManifest.xml
- WMInteropManifest.xml*
Application file structure
* — optional for WP7, absent in WP8
21
Submission and certification
App Creation App Submission XAP File
Validation
Adding Metadata
Certification Testing
Signing Publication in Marketplace
Source code
.xap
22
WP7:
\Applications
\Install\<ProductID>\Install\ - Content from XAP
- WMAppPRHeader.xml (package signature)
\Data\<ProductID>\Data\IsolatedStorage
Same idea in WP8, i.e. install path:
C:\Data\Programs\<ProductID>\Install\
Applications on a device
23
NOT ALL APPLICATIONS ARE SECURE
Security assessment
Server
Device/Emulator
Data channel
App
25
App
Prepare environment - Get app (unpack/decrypt) - Configuration device/emulator
Static analysis - Properties of program compilation - Metadata analysis - Code analysis
Dynamic analysis - How application works with file system/network - Runtime code analysis
Mobile applications security assessment
26
1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure
OWASP Top 10 Mobile Risks
27
WP vs. Android vs. iOS vulnerabilities
WP7 (C#/VB) WP8 (C#/VB/C/C++)
iOS (Objective-C)
Android (Java)
Note: Main programming languages in brackets
Platform independent vulnerabilities
Platform specific vulnerabilities
28
TOOLS OVERVIEW
- Device
- Full unlock
- Emulator
- Windows Phone Device Manager
- Network proxy: Burp Suite, Charles etc.
- .NET tools: .Net Reflector, ILSpy etc.
- IDA Pro
- RAIN, Boyan Balkanski
- Windows Phone App Analyzer, David Rook
- XAPSpy, Behrang Fouladi
- XapSpyAnalysis, David Rook
Arsenal
30
Static analysis is insufficient.
Lack of dynamic analysis tools:
• IDE allows debugging with source code only
• No programmable debugging interface
• Managed code
Main issue
31
Solution: static byte code instrumentation.
Tangerine
32
- Unpacking
- Removing application signature
- Resigning assemblies
- Packing
- Deploying
Automates routine with XAP files
33
- Application info
- Application capabilities
- Code analysis
- Code structure analysis
- API usage analysis
- View IL code
Static analysis
34
- Log application stack trace
- Method names
- Method parameters
- Return values
- Run custom code
- On method enter
- Replace method
- On method exit
- Change parameters values
Dynamic analysis
35
DEEP DIVE: FINDING VULNERABILITIES
DEMO
How it works
Target application
Instrumented application
Emulator
Emulator console Tangerine log
Instrumented application
Add hooks (1)
Resign and deploy
Hooked output (2)
Log data (2)
Repeat
(1) Changing CIL code
(2) Emulator console (writing/reading)
38
CIL Instrumentation
39
- Emulator only - Does not help to overcome obfuscated code - Does not work with system assemblies - Applications from store need to be decrypted - Windows Phone 7 only
Limitations
40
Cloud Compilation, WP8
CIL Assembly
C# Source Code
MDIL Assembly C# Compiler
MDIL Compiler
Cloud
MDIL Assembly
Native Image Generator
Native DLL
Device
Download
Run
41
MDIL in work
42
R0 = this R1 = a R0 + 0x10 = j, where j is a field from base class
MDILDump
43
http://github.com/WalkingCat/mdildump/
- Support Windows Phone 8 applications
- MDIL instrumentation
- Windows Phone RT
- Add new features
- Code graphical representation
- Data flow analysis
- Fix bugs ;)
Future work
44
CONCLUSION
- Greater attack surface in WP8
- App-to-App
- Applications that use native code
- New technologies
- Logical bugs never die
Conclusion
46
- Evgeny Bechkalo
- DSecRG team
Thanks
47
Q&A
Dmitry Evdokimov [email protected] @evdokimovds Andrey Chasovskikh http://andreycha.info @andreycha Tangerine: http://github.com/andreycha/tangerine